I have two NAS setups (NAS1 main and NAS2 backup).
About a month ago, I set up a few replication tasks where I would PUSH data from NAS1 to NAS2.
This would generate independent decryption keys that I would store for future reference.
Due to some circumstances, I had to configure the replication tasks on NAS2 as a PULL request.
It is important to understand that both pools are encrypted with their own key.
I realized after finishing the first task that the destination folder is encrypted without a way to download the keys to unlock the dataset, as shown below:
(Will include in the comments since it won’t let me post with embedded images or links)
I included an image showing the tasks config below:
(Will include in the comments since it won’t let me post with embedded images or links)
Since the “Include Dataset Properties” option is enabled, I thought the key to unlock the dataset would be the same key that originally encrypts it on the sending system, but it seems that key won’t work, and neither will the key that encrypts the pool on the receiving end.
On NAS1, I get all the folders inside the pool, all encrypted; the keyformat is hex and the top folder’s key location is prompt.
On NAS2, all folders that I’ve created show up, and the two folders that have synced already show up in ENCROOT with their own name; keylocation is prompt on all of them.
I think I am facing quite a similar issue here. I performed a replication task from Nas A to Nas B. MainStorage/Apps was replicated recursively, with child datasets that inherited the encryption key of MainStorage/Apps, as shown below.
truenas_admin@truenas[~]$ sudo zfs list -t filesystem -r -o name,encryption,encroot,keyformat,keylocation MainStorage
[sudo] password for truenas_admin:
NAME ENCRYPTION ENCROOT KEYFORMAT KEYLOCATION
MainStorage off - none none
MainStorage/.system off - none none
MainStorage/.system/configs-ae32c386e13840b2bf9c0083275e7941 off - none none
MainStorage/.system/cores off - none none
MainStorage/.system/netdata-ae32c386e13840b2bf9c0083275e7941 off - none none
MainStorage/.system/nfs off - none none
MainStorage/.system/samba4 off - none none
MainStorage/Apps aes-256-gcm MainStorage/Apps hex prompt
MainStorage/Apps/NetBird aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/NetBird/Client aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/NextCloud aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/NextCloud/AppData aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/NextCloud/PostgresData aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/NextCloud/UserData aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/OpenWebUI aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/OpenWebUI/DataStorage aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/OpenWebUI/OllamaStorage aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/WikiJs aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/WikiJs/Data aes-256-gcm MainStorage/Apps hex none
MainStorage/ix-apps off - none none
MainStorage/ix-apps/app_configs off - none none
MainStorage/ix-apps/app_mounts off - none none
MainStorage/ix-apps/docker off - none none
MainStorage/ix-apps/truenas_catalog off - none none
However, when the replication is completed, the replicated dataset on Nas B does not come with the inherited encryption key and is instead broken down into individual encryption keys. It still uses the same encryption key; however, I will have to manually input the key for each dataset, which is troublesome.
I was expecting to only have to unlock MainStorage/Backup/Apps, and it would then automatically unlock the rest.
truenas_admin@truenas[~]$ sudo zfs list -t filesystem -r -o name,encryption,encroot,keyformat,keylocation MainStorage
[sudo] password for truenas_admin:
NAME ENCRYPTION ENCROOT KEYFORMAT KEYLOCATION
MainStorage off - none none
MainStorage/.system off - none none
MainStorage/.system/configs-ae32c386e13840b2bf9c0083275e7941 off - none none
MainStorage/.system/cores off - none none
MainStorage/.system/netdata-ae32c386e13840b2bf9c0083275e7941 off - none none
MainStorage/.system/nfs off - none none
MainStorage/.system/samba4 off - none none
MainStorage/Backup off - none none
MainStorage/Backup/Apps aes-256-gcm MainStorage/Backup/Apps hex prompt
MainStorage/Backup/Apps/NetBird aes-256-gcm MainStorage/Backup/Apps/NetBird hex prompt
MainStorage/Backup/Apps/NetBird/Client aes-256-gcm MainStorage/Backup/Apps/NetBird/Client hex prompt
MainStorage/Backup/Apps/NextCloud aes-256-gcm MainStorage/Backup/Apps/NextCloud hex prompt
MainStorage/Backup/Apps/NextCloud/AppData aes-256-gcm MainStorage/Backup/Apps/NextCloud/AppData hex prompt
MainStorage/Backup/Apps/NextCloud/PostgresData aes-256-gcm MainStorage/Backup/Apps/NextCloud/PostgresData hex prompt
MainStorage/Backup/Apps/NextCloud/UserData aes-256-gcm MainStorage/Backup/Apps/NextCloud/UserData hex prompt
MainStorage/Backup/Apps/OpenWebUI aes-256-gcm MainStorage/Backup/Apps/OpenWebUI hex prompt
MainStorage/Backup/Apps/OpenWebUI/DataStorage aes-256-gcm MainStorage/Backup/Apps/OpenWebUI/DataStorage hex prompt
MainStorage/Backup/Apps/OpenWebUI/OllamaStorage aes-256-gcm MainStorage/Backup/Apps/OpenWebUI/OllamaStorage hex prompt
MainStorage/Backup/Apps/WikiJs aes-256-gcm MainStorage/Backup/Apps/WikiJs hex prompt
MainStorage/Backup/Apps/WikiJs/Data aes-256-gcm MainStorage/Backup/Apps/WikiJs/Data hex prompt
MainStorage/Backup/ix-apps off - none none
MainStorage/Backup/ix-apps/app_configs off - none none
MainStorage/Backup/ix-apps/app_mounts off - none none
MainStorage/Backup/ix-apps/docker off - none none
MainStorage/Backup/ix-apps/truenas_catalog off - none none
MainStorage/ix-apps off - none none
MainStorage/ix-apps/app_configs off - none none
MainStorage/ix-apps/app_mounts off - none none
MainStorage/ix-apps/docker off - none none
MainStorage/ix-apps/truenas_catalog off - none none
Am I doing something wrong here? I would really appreciate your expertise, as I have been experimenting with different replication configurations the whole day.
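A way to spot the condition shown in the second listing above, as an added example that is not part of either post: the function reads `zfs list -o name,encryption,encroot,...` output and prints every dataset that is its own encryption root while its parent is also encrypted, meaning it needs a separate key at unlock. The function name and the sample variables are hypothetical; the sample rows are a subset copied from the two listings in the post.

```shell
#!/bin/sh
# Added example: find nested encryption roots in a `zfs list` listing.
# Expected input columns: name, encryption, encroot (further columns ignored).
# Assumption: dataset names contain no whitespace.
nested_encroots() {
    awk '
        $1 == "NAME" { next }            # skip the header row
        NF >= 3 {
            enc[$1]  = $2                # encryption property per dataset
            root[$1] = $3                # encryption root per dataset
            order[++n] = $1              # remember listing order
        }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (root[name] != name) continue   # inherits its key
                parent = name
                if (!sub("/[^/]*$", "", parent)) continue   # pool root
                # Own encryption root below an encrypted parent:
                # this dataset has to be unlocked on its own.
                if ((parent in enc) && enc[parent] != "off") print name
            }
        }
    '
}

# Subset of the sending-side listing from the post (children inherit).
sample_source='NAME ENCRYPTION ENCROOT KEYFORMAT KEYLOCATION
MainStorage off - none none
MainStorage/Apps aes-256-gcm MainStorage/Apps hex prompt
MainStorage/Apps/NetBird aes-256-gcm MainStorage/Apps hex none
MainStorage/Apps/NetBird/Client aes-256-gcm MainStorage/Apps hex none'

# Subset of the receiving-side listing (every child is its own root).
sample_replica='NAME ENCRYPTION ENCROOT KEYFORMAT KEYLOCATION
MainStorage off - none none
MainStorage/Backup off - none none
MainStorage/Backup/Apps aes-256-gcm MainStorage/Backup/Apps hex prompt
MainStorage/Backup/Apps/NetBird aes-256-gcm MainStorage/Backup/Apps/NetBird hex prompt
MainStorage/Backup/Apps/NetBird/Client aes-256-gcm MainStorage/Backup/Apps/NetBird/Client hex prompt'

printf '%s\n' "$sample_replica" | nested_encroots
```

On a live system the same function can be fed directly from the `zfs list` command used in the post.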